Over the last few days millions* of WordPress pages have been hacked and defaced by various hacking groups.
This high-risk vulnerability has been known to the WordPress security teams for a while, and they tried to keep it secret and even released an update (on 26th January) to fix the issue. However, as soon as the hackers found out that this WordPress update contained a security patch, it didn’t take them long to exploit websites that hadn’t installed it.
If you haven’t got a WordPress website then you will not have been affected. Also, if you are on version 4.7.2 (released 26th January 2017) then you should be OK. However, if you haven’t made this update and you are running WordPress 4.7.0 or 4.7.1, then you are at risk and could be attacked at any time.
Technical bits: The REST API exploit allows attackers to bypass authentication systems via an HTTP request and change the content and titles of WordPress pages.
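To find installs that are still on the at-risk releases named above, the following added example (not from WordPress or any scanner; the function names and the paths in the usage comment are assumptions) reads `$wp_version` from each `wp-includes/version.php` under the given directories. It treats `4.7` as at risk because the 4.7.0 release reports its version as `4.7`.

```shell
#!/bin/sh
# Added example: list WordPress installs and flag the releases the post
# names as at risk (4.7.0 and 4.7.1). "OK" refers only to this REST API issue.

# Print the value assigned to $wp_version in a wp-includes/version.php file.
# The ^ anchor skips the "@global string $wp_version" doc-comment line.
wp_version_of() {
    sed -n 's/^[[:space:]]*[$]wp_version[[:space:]]*=[[:space:]]*.\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" | head -n 1
}

# Classify a version string for this specific issue.
wp_status() {
    case "$1" in
        4.7|4.7.0|4.7.1) echo "AT-RISK" ;;   # 4.7.0 ships as "4.7"
        "")              echo "UNKNOWN" ;;   # version line missing or unreadable
        *)               echo "OK" ;;
    esac
}

# Walk one or more directories and print: STATUS <tab> version <tab> site root
scan_wp_roots() {
    find "$@" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r file; do
        version=$(wp_version_of "$file")
        printf '%s\t%s\t%s\n' "$(wp_status "$version")" "${version:-?}" \
            "${file%/wp-includes/version.php}"
    done
}

# Usage (paths are examples only): sh wp-scan.sh /var/www /home/*/public_html
if [ "$#" -gt 0 ]; then
    scan_wp_roots "$@" | sort
fi
```

Sites reported as UNKNOWN have a missing or modified version file and are worth inspecting by hand.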
If you have any questions about the security of your website, or if you have been compromised and want it fixed, then please get in touch.
This is one of the many reasons why we don’t usually recommend WordPress. Yes, it can give you a lot of website quickly and easily, but we usually find that the compromises made are too big (why WordPress is ridiculous). That being said, we do maintain and improve a lot of WordPress-based websites for clients, and have a lot of knowledge in this area, being one of a limited number of web developers who’ll happily repair and take over the management of hacked sites.
We are Webbed Feet UK, we care about security.
* WordFence have documented over 1.5 million pages (and counting), but of course they only represent a small portion of all WordPress websites, and as such considerably more will have been attacked.